Weekly Cyber Risk Roundup: Third-Party Breaches and Apache Struts Issues

Twitter is the week’s top trending cybercrime target after malicious actors leveraged a third-party analytics service known as Twitter Counter to hijack a number of Twitter accounts and post inflammatory messages written in Turkish along with images of Nazi swastikas. Hundreds of accounts were compromised, the Associated Press reported.


Forbes magazine, the Atlanta Police Department, Amnesty International, UNICEF USA, and Nike Spain were among the numerous Twitter accounts hijacked.

A Twitter spokesperson said it removed the permissions of the third-party app, which was the source of the problem. In a series of tweets on Wednesday, Twitter Counter responded to the issue: “We’re aware that our service was hacked and have started an investigation into the matter. We’ve already taken measures to contain such abuse. Assuming this abuse is indeed done using our system, we’ve blocked all ability to post tweets and changed our Twitter app key.”

Twitter hijackings are common, and we do not highlight them in this weekly report very often; however, the Twitter Counter compromise is worth noting due to the supply chain issues it represents. Organizations frequently use third-party services to help manage their numerous social media accounts, and that interconnectedness was one of the central themes of SurfWatch Labs’ annual threat intelligence report. “One of the most telling statistics in all of SurfWatch Labs’ evaluated cyber threat data is the rise of CyberFacts related to third parties,” the report stated. “It is clear that malicious actors are looking for any opportunity to exploit poor cybersecurity practices, and the supply chain provides an abundance of opportunity for cybercriminals to do so.”

Organizations should have a way to track, monitor, and address any issues pertaining to third-party tools and services so they can better manage the increased risk that stems from an interconnected world.


Other trending cybercrime events from the week include:

  • New point-of-sale breaches: A breach at point-of-sale vendor 24×7 Hospitality Technology appears to be behind a series of fraudulent transactions tied to Select Restaurants Inc. locations, Brian Krebs reported. 24×7 issued a breach notification letter in January saying that a network intrusion through a remote access application allowed a third party to gain access to some of 24×7 customers’ systems and execute PoSeidon malware. Multiple Australian schools are warning parents that individuals are reporting fraudulent payment card transactions after Queensland School Photography’s online ordering system was compromised.
  • Yahoo breach leads to indictments: A grand jury has indicted four individuals, including two officers of the Russian Federal Security Service (FSB), over their alleged roles in the hacking of at least 500 million Yahoo accounts. According to the Department of Justice, the FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated, and paid co-defendants Alexsey Belan and Karim Baratov to collect information through computer intrusions in the U.S. and elsewhere.
  • Breaches due to insecure databases and devices: Security researchers discovered hundreds of gigabytes of data from the Warren County Sheriff’s Department exposed due to an insecure network storage device, including a variety of sensitive documents and recordings. A Dun & Bradstreet database containing the personal information of 33.7 million U.S. individuals has been exposed, likely due to an unsecured MongoDB database. Dun & Bradstreet said that it owns the database, but stressed that the data was not stolen from its systems and that the information was approximately six months old. Thousands of sensitive U.S. Air Force documents were exposed due to an insecure backup drive belonging to an unnamed lieutenant colonel.
  • Ransomware infections continue to be announced: Summit Reinsurance is notifying individuals of a breach after discovering unauthorized access to a server as well as a ransomware infection. The city of Mountain Home, Arkansas, had to wipe the server of its water department and restore the data from a backup after a ransomware infection locked 90,000 files. Metropolitan Urology Group said a November 2016 ransomware infection exposed the health information of patients who received services between 2003 and 2010. Ransomware actors are shifting towards disrupting business services and demanding higher ransom payouts.
  • Other notable cybercrime events: A flaw in the old website of South African-based cinema chain Ster-Kinekor exposed the personal information of up to 6.7 million users. Three is notifying an additional 76,373 customers that their personal information was compromised in a November 2016 incident. Wishbone announced a data breach due to unknown individuals having “access to an API without authorization.” UK travel association ABTA announced that 43,000 individuals had their personal information compromised due to a vulnerability in the servers of a third-party hosting service. Arkansas is investigating whether malware stole the personal information of 19,000 individuals. Cincinnati Eye Institute, Landauer, and Virginia Commonwealth University Health System announced data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Earlier this month, a patch was issued to address a high-impact vulnerability in the Apache Struts Jakarta Multipart parser that allowed attackers to remotely execute malicious code. Shortly after the patch, an exploit appeared on a Chinese-language website. Researchers then confirmed that attackers were “widely exploiting” the vulnerability. Since then, the issue has continued to affect numerous organizations through data breaches and service downtime.

For example, the Canada Revenue Agency was one of the week’s top trending cybercrime targets after the Canadian government took the website for filing federal tax returns offline due to the vulnerability, temporarily halting services such as electronic filing until security patches could be put in place.  

John Glowacki, a government security official, said during a press conference that there was “a specific and credible threat to certain government IT systems,” and Statistics Canada confirmed that hackers broke into a web server by exploiting the Apache Struts vulnerability. Glowacki also said it was his understanding that some other countries “are actually having greater problems with this specific vulnerability [than Canada].”

Those other instances have not been as widely reported; however, GMO Payment Gateway confirmed a data breach related to the vulnerability. The Japanese payment processing provider announced that an Apache Struts vulnerability led to the leak of payment card data and personal information from customers who used the Tokyo Metropolitan Government website and Japan Housing Finance Agency site. According to the breach notification, the Tokyo Metropolitan Government credit card payment site leaked the details of as many as 676,290 payment cards, and the Japan Housing Finance Agency payment site leaked the details of as many as 43,540 payment cards. The breach was discovered after an investigation was launched on March 9 due to alerts about the vulnerability. Less than six hours later, GMO discovered unauthorized access and stopped all systems running with Apache Struts 2.

SurfWatch Labs analysts warn that systems running unpatched Apache Struts with root privileges are at high risk of being fully compromised, and organizations are encouraged to patch Apache web servers as soon as possible.

“Unfortunately, fixing this critical flaw isn’t always as easy as applying a single update and rebooting,” Ars Technica’s Dan Goodin noted. “That’s because in many cases, Web apps must be rebuilt using a patched version of Apache Struts.”
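The rebuild caveat applies because Struts 2 is normally packaged inside each web application archive (as `WEB-INF/lib/struts2-core-<version>.jar`) rather than installed once per server. The following is an added example, not code from this report or from SurfWatch Labs: it inventories the Struts core jar bundled in WAR/EAR files so that every application needing a rebuild can be listed. The function names, sample archives, and version thresholds are constructed placeholders; the real first-fixed versions must be taken from the Apache Struts advisory.

```python
import io
import re
import zipfile

# Struts 2 core is bundled per application as struts2-core-<version>.jar.
STRUTS_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def bundled_struts_versions(archive):
    """Return version strings of every struts2-core jar inside a WAR/EAR.

    `archive` is a path or file-like object; a WAR nested in an EAR is
    opened recursively.
    """
    found = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            match = STRUTS_JAR.search(name)
            if match:
                found.append(match.group(1))
            elif name.lower().endswith((".war", ".ear")):
                found.extend(bundled_struts_versions(io.BytesIO(zf.read(name))))
    return found

def needs_rebuild(archive, fixed_by_line):
    """Return bundled versions older than the first fixed release on their line.

    `fixed_by_line` maps a release line such as "1.0" to its first fixed
    version (fill in from the vendor advisory). Versions on a line the map
    does not cover are reported too, since nothing vouches for them.
    """
    stale = []
    for version in bundled_struts_versions(archive):
        line = ".".join(version.split(".")[:2])
        fixed = fixed_by_line.get(line)
        if fixed is None or parse_version(version) < parse_version(fixed):
            stale.append(version)
    return stale

def make_archive(entries):
    """Build an in-memory zip from {name: bytes}; constructed sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    fixed = {"1.0": "1.0.5"}  # placeholder floor, not a real Struts release
    war = make_archive({"WEB-INF/lib/struts2-core-1.0.4.jar": b""})
    print(needs_rebuild(war, fixed))
```

Running it over every deployed archive, not just the server's shared library directory, is what surfaces applications that still carry an old copy after the server itself has been updated.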